
Login class / allow-configuration / deny-configuration

4 weeks ago

Hello,

 

Given the configuration:

 

set system login class Test-permissions idle-timeout 60

set system login class Test-permissions permissions all

set system login class Test-permissions allow-commands "(configure private)"

set system login class Test-permissions deny-commands "(configure)|(configure exclusive)"

set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)"

set system login class Test-permissions deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)"

 

When I try to execute a command that is listed in allow-configuration, for example:

 

aminzat@R1# set interfaces ge-0/0/8 unit 0 family inet mtu 9

 

It works.

 

When trying to apply a filter on an interface, it does not work.

# set interfaces xe-4/2/0 unit 200 family inet filter input Filter-100M-policing

error: permission denied for interfaces: Filter-100M-policing

 

Upon removing (interfaces.*), this command works.

 

Is the configuration wrong, or is it a bug?

Solution
Accepted by topic author rocketfkinscience
2 weeks ago

Re: Login class / allow-configuration / deny-configuration

4 weeks ago

Hi rocketfkinscience, 

 

Greetings, 

 

This is a configuration issue. You will have to add (interfaces .* unit .* family * inet * filter * input) along with the existing configuration to the allow-commands, as the filter has multiple types, namely input and output, and the configuration should match the type first and then specify the name Filter-100M-policing.

 

Ideally you will have to configure the allow as below:

set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input)|(interfaces .* unit .* family * inet * filter * input .*)"

 

Please mark "Accept as solution" if this answers your query. 

 

Kudos are appreciated too! 

 

Regards, 

Sharat Ainapur
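The two replies that diagnose this thread agree on the mechanism: the allow-configuration expression must match the "filter input" hierarchy level itself, not only the level with the filter name appended. The Python script below is an added example, not code from the thread or from Juniper. It splits the allow and deny expressions exactly as posted in the question and in the accepted answer into their alternatives and reports, for every hierarchy level of a set statement, which alternatives match under anchored full-match regex semantics. It is an offline aid for reviewing a least-privilege login class before committing it; it does not reproduce Junos's own evaluation engine, which the thread does not document, so the assumption that each hierarchy level is tested separately with anchored matching belongs to this example, not to Junos. The statement strings and the user name are taken from the posts above.

```python
import re
from typing import Dict, List, Tuple

# allow-configuration as the original poster had it (question above): the last
# alternative only matches once a filter name follows "input".
ORIGINAL_ALLOW = (
    "(interfaces .* unit .* family * inet * address .*)|"
    "(interfaces .* unit .* family * inet6 * address .*)|"
    "(interfaces .* unit .* family * inet6 * mtu .*)|"
    "(interfaces .* unit .* family * inet * mtu .*)|"
    "(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|"
    "(interfaces .* unit .* bandwidth .*)|"
    "(class-of-service interfaces .* unit .* output-traffic-control-profile)|"
    "(interfaces .* unit .* disable)|"
    "(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|"
    "(interfaces .* unit .* family * inet * filter * input .*)"
)

# allow-configuration from the accepted answer: the same list plus the bare
# "filter * input" alternative, which matches the level without a filter name.
FIXED_ALLOW = ORIGINAL_ALLOW.replace(
    "|(interfaces .* unit .* family * inet * filter * input .*)",
    "|(interfaces .* unit .* family * inet * filter * input)"
    "|(interfaces .* unit .* family * inet * filter * input .*)",
)

# deny-configuration as posted in the question; note the catch-all "(interfaces.*)".
DENY = (
    "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|"
    "(protocols ldp disable)|(system login)|(interfaces lo0)|"
    "(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|"
    "(interfaces.* per-unit-scheduler)|(interfaces.* disable)|"
    "(class-of-service interfaces.* output-traffic-control-profile)|"
    "(interfaces .* hierarchical-scheduler)|(interfaces.*)"
)


def split_alternatives(expr: str) -> List[str]:
    """Split a Junos "(a)|(b)|(c)" string into its parenthesised alternatives.

    The expressions in this thread contain no nested parentheses, so a plain
    split on ")|(" is sufficient.
    """
    if not (expr.startswith("(") and expr.endswith(")")):
        raise ValueError("expected a parenthesised alternation such as (a)|(b)")
    return expr[1:-1].split(")|(")


def hierarchy_levels(statement: str) -> List[str]:
    """Every prefix of a set statement, from the top keyword down to the full statement."""
    words = statement.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


def matching_alternatives(level: str, alternatives: List[str]) -> List[str]:
    """Alternatives that match `level` anchored at both ends (assumption: anchored match)."""
    return [alt for alt in alternatives if re.fullmatch(alt, level)]


def audit(statement: str, allow_expr: str, deny_expr: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each hierarchy level of `statement` to (allow matches, deny matches)."""
    allow = split_alternatives(allow_expr)
    deny = split_alternatives(deny_expr)
    return {
        level: (matching_alternatives(level, allow), matching_alternatives(level, deny))
        for level in hierarchy_levels(statement)
    }


if __name__ == "__main__":
    # Statements taken from the thread: the one that worked and the one that was denied.
    for stmt in ("interfaces ge-0/0/8 unit 0 family inet mtu 9",
                 "interfaces ge-0/0/8 unit 0 family inet filter input tst"):
        for label, allow_expr in (("original", ORIGINAL_ALLOW), ("fixed", FIXED_ALLOW)):
            print(f"--- {stmt} [{label} allow-configuration]")
            for level, (allowed, denied) in audit(stmt, allow_expr, DENY).items():
                print(f"{level!r}: allow={allowed} deny={denied}")
```

Running it shows the difference the replies describe: with the original expression the level `interfaces ge-0/0/8 unit 0 family inet filter input` matches no allow alternative at all, while with the fixed expression it matches the bare `filter * input` entry and the full statement matches the `filter * input .*` entry. The deny column also shows that `(interfaces.*)` matches every level below `interfaces`, which is why dropping it made the command succeed in the question, at the cost of opening the whole interfaces hierarchy.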


Re: Login class / allow-configuration / deny-configuration

4 weeks ago

Hi rocketfkinscience,

 

When I checked this in the lab, I saw this config working. Can you share the version on which you are executing these commands?

[attached screenshot: 1.PNG]

 

 

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too

 

Kudos are appreciated too :)

 

Regards,

Nadeem


Re: Login class / allow-configuration / deny-configuration

4 weeks ago

Hello All,

 

Greetings!

 

Once you dump the below config into the device, make sure you exit from configuration mode (#) and enter config mode again using "configure private" with the specified user, as configure private is the only command allowed to enter configuration mode.

 

set system login class Test-permissions idle-timeout 60

set system login class Test-permissions permissions all

set system login class Test-permissions allow-commands "(configure private)"

set system login class Test-permissions deny-commands "(configure)|(configure exclusive)"

set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)"

set system login class Test-permissions deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)"

 

Create a user test, map it to class "Test-permissions" and set a 6-digit plain-text password [for example, test123].

 

Then exit the terminal and try to log in to the device with the user "test" and the password "test123". Then enter configuration mode only by "configure private".

 

After entering configure private mode, the user cannot view the "show system login" command, as the command is not in the allowed configuration list.

 

Lab output:


login: test
Password:
Last login: Thu May 7 10:16:31 from 172.29.186.149

--- JUNOS 19.1R1-S4.2 Kernel 64-bit JNPR-11.0-20191223.5f5c7dc_buil
test@jtac-mx480-r2032-re0> configure ?
Possible completions:
private Work in private database (other's changes do not show)   -- Only 1 option.
test@jtac-mx480-r2032-re0> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode
Users currently editing the configuration:
labroot terminal pts/1 (pid 15828) on since 2020-05-07 10:00:00 UTC, idle 00:28:05
[edit]

[edit]
test@jtac-mx480-r2032-re0# show system lo?   
Possible completions:
> location Location of the system, in various forms
[edit]
test@jtac-mx480-r2032-re0# show system login ---- "show system login is not allowed"
^
syntax error.

 

To make any change to the above configuration, you need to log in again with a user having super-user class credentials and modify the configuration.

 

---------------------------------------------------------

Coming to the configuration issue:

 

Yes, the issue is with the existing configuration. You need to add (interfaces .* unit .* family * inet * filter * input). The allow-configuration should first match the filter type and then the filter name.

 

allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)";

 

I hope this helps. Please mark "Accept as solution" if this answers your query. 

 

Kudos are appreciated too! 

 

Best Regards,

Lingabasappa H

 

 

 


Re: Login class / allow-configuration / deny-configuration

3 weeks ago

Hello,

 

Added the missing line in the configuration, still getting the same error:

 

root@R2# show system login
class Test-permissions {
idle-timeout 60;
permissions all;
allow-commands "(configure private)";
deny-commands "(configure)|(configure exclusive)";
allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input);";
deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)";
}
user aminzat {
uid 2001;
class Test-permissions;
authentication {
encrypted-password "$6$qfy/0CzX$cs6NBTrl9gB58nV2nl/gNvq3Ms59SsDOMPH9YetK49XWz88BJ1o7PC8WTdn3L/IMT2YpPc9tylcBqvgeyclOK0"; ## SECRET-DATA
}
}

 

The result:

 

[edit]
aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input ?
Possible completions:
<filter-name> Name of the filter
tst [firewall filter]
[edit]
aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input tst
error: permission denied for interfaces: tst

[edit]
aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input tst
error: permission denied for interfaces: tst

[edit]
aminzat@R2# run show version
Hostname: R2
Model: mx960
Junos: 18.4R2.7

 

Regards,

Alex


Re: Login class / allow-configuration / deny-configuration

3 weeks ago

Hi rocketfkinscience,

 

Greetings, 

 

Can you add the below config and verify this? 

Add the below statement from your permitted user and commit. Open a new session for aminzat after the commit and then check again. Meanwhile, I will check on your specified version: Junos 18.4R2.7 and Model mx960.

 

set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input)|(interfaces .* unit .* family * inet * filter * input .*)"

 

 

Please mark "Accept as solution" if this answers your query. 

 

Kudos are appreciated too! 

 

Regards, 

Sharat Ainapur


Re: Login class / allow-configuration / deny-configuration

3 weeks ago

Hello Rocketfkinscience,

 

I see an extra semicolon [ ; ] at the end in the allow-configuration in the output you have attached.

 

allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input);";

 

I have performed the below test on an MX480 running 19.1R1-S4.2 and I was able to run the command.

labroot@XXXX> show version
Hostname: jtac-mx480-r2032-re0
Model: mx480
Junos: 19.1R1-S4.2

 

labroot@XXXX# show system login
class Test-permissions {
idle-timeout 60;
permissions all;
allow-commands "(configure private)";
deny-commands "(configure)|(configure exclusive)";
allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)";


deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)";
}

user test {
uid 2000;
class Test-permissions;
authentication {
encrypted-password "$6$07JR2.fn$10HsjKLPDHj2.buTXLSAvDZ/6OThheF7ecDUSopU5uBr8S5wHi4W0RG4b1jq5b0pSyabkczrQFJzfGBsgMax9."; ## SECRET-DATA
}
}

 

Logged out from the "labroot" user and logged in as the user "TEST":

 

login: test
Password:
Last login: Thu May 7 11:03:07 from 172.29.186.149

--- JUNOS 19.1R1-S4.2 Kernel 64-bit JNPR-11.0-20191223.5f5c7dc_buil

test@XXXX> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode


[edit]
test@XXXX# set interfaces ge-0/0/8 unit 0 family inet filter input tst

[edit]
test@XXXX# show |compare
[edit interfaces]
+ ge-0/0/8 {
+ unit 0 {
+ family inet {
+ filter {
+ input tst;
+ }
+ }
+ }
+ }

 

Please copy-paste the below allow configuration on the device with "root" credentials.

 

#set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)"

 

I hope this helps. Please mark this post "Accept as solution" if this answers your query.

 

Kudos are appreciated too! 

 

Best Regards,

Lingabasappa H

 

 


Re: Login class / allow-configuration / deny-configuration

3 weeks ago

Hello,

 

It didn't work.

Still getting the permission denied statement.

I will try on an actual physical device, as I was testing in a virtual environment.

 

Regards


Re: Login class / allow-configuration / deny-configuration

3 weeks ago

Hi rocketfkinscience

 

Yes, please check this on a physical device.

This worked on a lab device, and that is the reason we shared the sample config. Please share with us the version on the physical device after you try it. Also, I think you are logged in as root while making the changes and committing, and then opening a new session as the new user after the commit and trying the command. Am I right in my understanding?

 

Regards, 

Sharat


Re: Login class / allow-configuration / deny-configuration

2 weeks ago

Hello,

 

It works on a physical device.

Thank you for the information provided.

 

Is there any documentation about this knob?

 

Regards.


Re: Login class / allow-configuration / deny-configuration

2 weeks ago

Hi rocketfkinscience, 

 

Greetings,

 

Per my understanding, there is no specific document for this.

Will recheck and update you on this thread. Thanks.

 

Regards, 

Sharat